Is it Time to Trust the Cloud? Unpacking the Notorious Nine

Is it Time to Trust the Cloud? Unpacking the Notorious Nine Jonathan C. Trull, CISO, Qualys Cloud Security Alliance

Agenda: Cloud Security Model; Background on the Notorious Nine; Unpacking the Notorious Nine; Summary: Is it time to trust the cloud?

Introduction: Jonathan C. Trull, CISO for Qualys, a pioneer and leading provider of cloud security and compliance solutions. Formerly the CISO for the State of Colorado, the first state in the country to adopt a Cloud First strategy. Lieutenant Commander in the U.S. Navy Reserve, focused on computer network attack and defense.

Cloud Security / Privacy in Popular Media

Cloud Services Models. The slides walk through four models (On Premise, IaaS, PaaS, SaaS); with each step, more of the stack moves from "you manage" to "managed by vendor".

On-Premise Model: all resources are managed by the end-user organization. Everything is private and controlled.

IaaS: the vendor manages the virtual infrastructure; examples shown on the slide are virtual desktop, backup and recovery, and managed cloud security. The customer manages everything built on top of that infrastructure.

PaaS: the vendor manages the infrastructure and the platform layers; the customer manages what remains above them.

SaaS: the vendor manages the infrastructure, the platform and the application.

Who owns which controls? Control ownership shifts along the spectrum from the customer (On Premise) through IaaS and PaaS to the cloud services provider (SaaS).

The Notorious Nine. Purpose: to provide organizations with an up-to-date, expert-informed understanding of cloud security threats in order to make educated risk-management decisions regarding cloud adoption strategies. Methodology: CSA conducted a survey of industry experts to compile professional opinion on the greatest vulnerabilities within cloud computing. The CSA Top Threats working group used these survey results alongside their expertise to craft the final 2013 report.

What is a threat? According to NIST, a threat is any circumstance or event with the potential to adversely impact organizations and assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service. Threat events are caused by threat sources. For threat sources, think adversarial tactics, techniques, and procedures (TTPs); human errors of omission or commission; structural failures of organization-controlled resources; natural and man-made disasters; and accidents and failures beyond the control of the organization.

Threats vs. Vulnerabilities

Meet the Notorious Nine: 1. Breaches; 2. Loss; 3. Account Hijacking; 4. Insecure APIs; 5. Denial of Service; 6. Malicious Insiders; 7. Abuse of Cloud Services; 8. Insufficient Due Diligence; 9. Shared Technology Issues.

Threat # 1: Breaches A security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.

Threat # 2: Loss An error condition in information systems in which information is destroyed by failures or neglect in storage, transmission, or processing.

Threat # 3: Account or Service Traffic Hijacking. A process through which an individual's email account, computer account, or any other account associated with a computing device is intentionally stolen or hijacked for nefarious purposes.

Threat # 4: Insecure Interfaces and APIs Application programming interfaces that contain vulnerabilities or weaknesses that allow sensitive data and/or services to be exploited by unauthorized parties.

Threat # 5: Denial of Service. An interruption in an authorized user's access to a computer network or service, typically caused by malicious intent.

Threat # 6: Malicious Insiders A current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.

Threat # 7: Abuse of Cloud Services Use of legitimate cloud computing resources for evil.

Threat # 8: Insufficient Due Diligence. Adoption of cloud computing services without fully understanding the risks of such a deployment, or without performing sufficient third-party validation of cloud service providers' security and privacy controls.

Threat # 9: Shared Technology Vulnerabilities Vulnerabilities in key technologies that make cloud computing possible e.g., hypervisors.

Is it time to trust the cloud? Technically, cloud computing is not better or worse than traditional computing, just different. The likelihood of some risks goes up while others go down. Cloud computing is not responsible for the majority of actual data breaches occurring across the globe: "As such, we are often asked whether the Cloud factors into many of the breaches we investigate. The easy answer is No, not really." (Source: Verizon Breach Report)

Thank You jtrull@qualys.com